Hi,
Implemented option to set EL method to conditionally enable remember me per
request. Example:
@RememberMe(
cookieMaxAgeSeconds = 3600,
isRememberMeExpression ="this.isRememberMe(httpMessageContext)"
)
@RequestScoped
public class TestAuthenticationMechanism implements
HttpAuthenticationMechanism {
See:
https://github.com/arjantijms/mechanism-to-store-x/blob/master/app-custom-rememberme/src/main/java/test/TestAuthenticationMechanism.java#L19
Implementation is fairly trivial. The interceptor creates an ELProcessor
and sets the CDI ELResolver on it and two custom beans:
ELProcessor elProcessor = new ELProcessor();
elProcessor.getELManager().addELResolver(beanManager.getELResolver());
elProcessor.defineBean("this", invocationContext.getTarget());
elProcessor.defineBean("httpMessageContext", httpMessageContext);
See:
https://github.com/arjantijms/mechanism-to-store-x/blob/master/jsr375/src/main/java/org/glassfish/jsr375/cdi/RememberMeInterceptor.java#L163
The ELProcessor is then used to evaluate the expression from the annotation:
isRememberMe = (Boolean)
elProcessor.eval(rememberMeAnnotation.isRememberMeExpression());
And based on that the remember me cookie is written or not.
Kind regards,
Arjan Tijms
On Sun, Jan 17, 2016 at 2:42 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> Hi,
>
> Haven't gotten a response on the below yet, so I'll try to continue today
> with the EL option. It's a draft proposal anyway and with the enormously
> useful ELProcessor from EL 3.0 it should be almost trivial to implement.
>
>
>
> On Tue, Jan 12, 2016 at 10:05 PM, arjan tijms <arjan.tijms_at_gmail.com>
> wrote:
>
>> @RememberMe(
>> isRememberMe="#{testAuthenticationMechanism.isRememberMe}"
>> )
>> @RequestScoped
>> @Named
>> public class TestAuthenticationMechanism implements
>> HttpAuthenticationMechanism
>>
>>
>> or using an annotated method on the same type that has the @RememberMe:
>>
>> @RememberMe
>> @RequestScoped
>> public class TestAuthenticationMechanism implements
>> HttpAuthenticationMechanism {
>>
>> @IsRememberMe
>> public boolean isRememberMe() {
>> return true; // or do whatever custom logic is needed
>> }
>>
>> // ...
>> }
>>
>>
>> Thoughts?
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>>
>>
>>
>> On Tue, Jan 12, 2016 at 1:19 AM, arjan tijms <arjan.tijms_at_gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I created a new issue here and linked it to the authentication mechanism
>>> story. If you or anyone else it's better to have this be its own top-level
>>> story I can change that of course.
>>>
>>> I hope to succeed in prototyping an initial version soon.
>>>
>>> Kind regards,
>>> Arjan Tijms
>>>
>>>
>>>
>>> On Mon, Jan 11, 2016 at 7:18 AM, Werner Keil <werner.keil_at_gmail.com>
>>> wrote:
>>>
>>>> Arjan,
>>>>
>>>> Thanks for the Initiative.
>>>> Would you create a new Story for that in Jira?
>>>>
>>>> Cheers,
>>>> Werner
>>>> Am 10.01.2016 22:00 schrieb "arjan tijms" <arjan.tijms_at_gmail.com>:
>>>>
>>>>> Hi,
>>>>>
>>>>> One of the extra features that I was looking at for the initial EDR is
>>>>> a "remember me" facility.
>>>>>
>>>>> "Remember me" means that a caller initially authenticates with normal
>>>>> credentials, after which the container stores the authenticated identity
>>>>> (name + roles) somewhere and sends back a cookie with a token.
>>>>>
>>>>> This facility is not entirely trivial and goes a little beyond the low
>>>>> hanging fruit that Alex asked for. Still I'd like to give it a shot, but
>>>>> obviously this hasn't the highest priority and I would be okay with moving
>>>>> this to a later EDR.
>>>>>
>>>>> The design I was now thinking about involves the following:
>>>>>
>>>>> * Interceptor for the validateRequest and clearSubject methods
>>>>> * A special type of IdentityStore that has additional
>>>>> generateToken(String caller, List<String> groups) method and
>>>>> removeToken(String token) methods
>>>>> * Some helper code for setting/clearing cookies
>>>>>
>>>>> It would be essentially like the AutoApplySession interceptor, but
>>>>> using a user provided storage instead of the HTTP session. See
>>>>> https://github.com/arjantijms/mechanism-to-store-x/blob/master/jsr375/src/main/java/org/glassfish/jsr375/cdi/AutoApplySessionInterceptor.java
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> Kind regards,
>>>>> Arjan Tijms
>>>>>
>>>>>
>>>
>>
>